Adobe Working on Patches for Newly Discovered Zero-Day Code Flaws

Adobe Systems has confirmed it is working on a patch for critical zero-day vulnerabilities that are under attack in the wild.

Researchers at security firm FireEye first warned on Feb. 12 about a new exploit that can be used to compromise Adobe Reader. According to FireEye, if the vulnerability is successfully exploited, it will deploy two Dynamic Link Library files. The first file shows a fake error message and opens a decoy PDF document. The second file deploys a callback component that talks to a remote Internet domain.

“The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques,” according to FireEye. “Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader … and it creates the appropriate shell code based on the version found.”

According to Adobe’s security team, the vulnerabilities impact both Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. The attack is capable of bypassing the Adobe Reader sandbox, according to Zheng Bu, FireEye senior director of security researcher.

“Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message,” Adobe’s security team warned. “Adobe is in the process of working on a fix for these issues and will update this advisory when a date for the fix has been determined.”

It has been a busy few days for Adobe in regards to security. Last week, the company released updates for critical vulnerabilities impacting Flash Player that, if exploited, could enable an attacker to hijack a vulnerable system. Then on Feb. 12, the company released another update for Flash Player alongside a fix for its Shockwave Player product.

Adobe Reader’s ubiquity is what makes it a popular target for attackers, said Bogdan Botezatu, senior e-threat researcher at BitDefender.

“Since it’s free, chances are that users dealing with PDF documents will have it installed on their machine, along with the browser plug-in, so we’re talking of a significant pool of potential victims,” he told eWEEK. “It is also an issue for corporations, because they can’t simply block PDF files in the gateway firewall, as day-to-day operations require interaction with PDF documents via email or Web.

“Unlike Java updates, which might break compatibility with applications that are already deployed in companies, Reader updates are fully backward-compatible, so there is no excuse for (deciding against) deploying them immediately, unless the security policies in the respective company requires a full audit of all software before deployment,” Botezatu said.

Paul Ducklin, Sophos head of technology for the Asia-Pacific region, warned users to be careful what email attachments they open.

“Targeted attackers usually marry their attachments to your work or interests, so they don’t stand out as obviously as spams that promote cheap Viagra,” he blogged. “Nevertheless, even an attachment sent in a targeted attack is usually unsolicited or unexpected. If in doubt, leave it out.”